On Saturday, January 9, 2016 at 11:24:31 AM UTC-5, cub...@gmail.com wrote:

> On Thursday, January 7, 2016 at 12:08:10 AM UTC+1, Paul Wouters wrote:
> > As was in the news before, Kazakhstan has issued a national MITM
> > Certificate Agency.
> >
> > Is there a policy on what to do with these? While they are not trusted,
> > would it be useful to explicitly blacklist these, as to make it
> > impossible to trust even if the user "wanted to" ?
> >
> > The CA's are available here:
> > http://root.gov.kz/root_cer/rsa.php
> > http://root.gov.kz/root_cer/gost.php
> >
> > One site that uses these CA's is:
> > https://pki.gov.kz/index.php/en/forum/
> >
> > Paul
>
> Hi there,
>
> If I may briefly jump in with a small observation regarding the above certs:
> in both, the issuer is different from the subject, which is rather unusual.
> Isn't that a problem?
>
> Regards,
>
> Sven Faw
> @hexatomium
Correct, this is because the submitted certificate download URL is wrong:

> http://pki.gov.kz/cert/pki_rsa.cer

If you pull this certificate and look at its AIA, then pull the authoritative
certificate from the url:

> openssl x509 -inform der -in pki_rsa.cer -text -noout
> ..
> Authority Information Access:
> CA Issuers - URI:http://root.gov.kz/cert/root_rsa.cer

You can then verify its fingerprint, startdate and enddate match the inclusion
request (adjusting for Alma-Ata local time which is UTC+6).

Also no test URL is provided. (https://wiki.mozilla.org/CA:Information_checklist #11).

Brian

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
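The check Brian describes (read the AIA "CA Issuers" URI out of the submitted certificate, fetch the authoritative root from it, then compare that root's fingerprint and validity dates against the inclusion request) as an added shell script; it is not part of the thread, and the self-signed sample certificate and the example.invalid URI it generates are constructed only so the parsing steps can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the mailing list thread. Requires openssl (1.1.1+ for
# -addext) and, for the network step only, curl.
set -eu

# Print the "CA Issuers" URI from the certificate's AIA extension (empty if none).
aia_issuer_uri() {
  openssl x509 -inform der -in "$1" -noout -text |
    sed -n 's/.*CA Issuers - URI://p' | head -n 1
}

# Print "sha256-fingerprint|notBefore|notAfter". openssl reports the dates in
# GMT, so an inclusion request written in Alma-Ata local time (UTC+6) must be
# shifted before comparing.
cert_summary() {
  fp=$(openssl x509 -inform der -in "$1" -noout -fingerprint -sha256 | cut -d= -f2)
  nb=$(openssl x509 -inform der -in "$1" -noout -startdate | cut -d= -f2)
  na=$(openssl x509 -inform der -in "$1" -noout -enddate | cut -d= -f2)
  printf '%s|%s|%s\n' "$fp" "$nb" "$na"
}

# Follow the AIA pointer of the submitted certificate and summarise the root it
# names; this is the step that needs network access.
fetch_and_summarise_issuer() {
  uri=$(aia_issuer_uri "$1")
  [ -n "$uri" ] || { echo "no CA Issuers URI in AIA" >&2; return 1; }
  tmp=$(mktemp)
  curl -fsSL "$uri" -o "$tmp"
  cert_summary "$tmp"
  rm -f "$tmp"
}

# Constructed sample: a throwaway self-signed DER certificate carrying a
# placeholder AIA URI (example.invalid), written to the path given as $1; the
# private key goes to the same path with a .key suffix and is never reused.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -keyout "${1%.cer}.key" \
    -subj "/CN=Constructed Sample Root" \
    -addext "authorityInfoAccess=caIssuers;URI:http://example.invalid/root.cer" \
    -outform der -out "$1" 2>/dev/null
}
```

Run `fetch_and_summarise_issuer pki_rsa.cer` against a real submitted certificate to get the fingerprint and dates of the root its AIA points at; the sample functions only show the extraction on a locally generated certificate.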